Fired head IT guy this week... need admin info and need to disable remote access!

Discussion in 'Windows Server' started by cswimc, Apr 8, 2010.

  1. cswimc

    cswimc MDL Novice

    Dec 9, 2009
    2
    0
    0
    Hopefully this is the right section to post in... but anyway, here is the problem:

    I work for a company and the owner recently fired the head IT guy (last Friday). Basically, there is a situation brewing in which the head IT guy will not give us the administrator password for the network. Along with this, the boss is worried that he may log in via remote desktop and mess around with files such as accounting records, inventory records, or just sabotage the whole system.

    Now the other question I have is how I should go about disabling the remote desktop connection first and foremost. We also need to get the administrator account information for the network. I have physical access to all computers in the network, and I have client logins for all the employees. The only issue is that none of the employee logins have administrative privileges, so I can't install / uninstall software etc. The network server is old and running on Windows Server 2003. All clients on the network are running Windows XP.

    Any suggestions? Thanks!
     
  2. Hoppyah

    Hoppyah MDL Senior Member

    Aug 12, 2009
    286
    12
    10
    Can't you use NT password reset?
     
  3. ennio

    ennio Guest

    Hire that guy, again. :D
     
  4. Leolo

    Leolo MDL Member

    Jan 23, 2010
    136
    27
    10
    Use ERD Commander 5.0 to reset the password. (search for "Microsoft Desktop Optimization Pack 2010-SPYRAL" in piratebay. It includes ERD Commander 5.0)

    Log in to your hardware firewall and/or NAT router and close all incoming ports. Remove all "port forwardings" also. TCP port 3389 is the most important; you must block it.

    Please take a note of everything on a piece of paper before you delete or modify anything, just in case something goes wrong and you have to restore the previous values!
     
  5. sebus

    sebus MDL Guru

    Jul 23, 2008
    5,879
    1,773
    180
    Why would 3389 be the most important? Because it is M$ RDP?

    And what about all the other remote control software that a real admin would use?

    Also you need to know the password to the FW unit before you can login to it to disable anything...

    sebus
     
  6. Leolo

    Leolo MDL Member

    Jan 23, 2010
    136
    27
    10
    Well, it's commonly used because it comes with Windows, so it doesn't cost extra. Most of the Windows servers I've seen are managed with Remote Desktop (as long as they don't have special hardware like HP iLO or IBM Remote Supervisor).

    Nevertheless, it's much more important to configure the Firewall and/or router. If they don't have the password, he can just tell us the model and manufacturer of the device, there's usually a way to reset the admin password from the console.
     
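    The thread covers the perimeter side (router/firewall, which is vendor-specific) but not the host side. As an added example, not code from anyone in this thread: a PowerShell script run on the Server 2003 / XP machine itself that first records the current state (as Leolo advises), then refuses new Remote Desktop connections, and finally inventories every listening port so that other remote-control tools (sebus's point) can be reviewed too. It assumes an elevated PowerShell 2.0 session, the legacy "netsh firewall" context (2003 SP1 / XP SP2 or later), and an assumed backup path.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 2.0 session
# on the Server 2003 / XP host itself and the legacy "netsh firewall" context
# (Windows Firewall, 2003 SP1 / XP SP2 or later). $backup is an assumed path.
$backup = "C:\rdp-state-before.txt"
$tsKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

# 1. Record the current state first, so every change below can be reverted.
$before = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
"fDenyTSConnections before: $($before.fDenyTSConnections)" | Out-File $backup
netsh firewall show state       | Out-File $backup -Append
netsh firewall show portopening | Out-File $backup -Append

# 2. Record who may currently log on over RDP (local "Remote Desktop Users"
#    group, read through the WinNT ADSI provider).
$grp = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($grp.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
"Remote Desktop Users: $($members -join ', ')" | Out-File $backup -Append

# 3. Refuse new Terminal Services connections and close TCP 3389 on the
#    host firewall (defence in depth next to the router/NAT rules).
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
netsh firewall set service type = REMOTEDESKTOP mode = DISABLE
netsh firewall set portopening protocol = TCP port = 3389 mode = DISABLE

# 4. RDP is only one door: list every listening port with its owning PID so
#    any other remote-control software can be identified and handled the same way.
netstat -ano | Select-String "LISTENING" | Out-File $backup -Append
Get-Content $backup
```

    The registry change only blocks new connections; a session that is already open stays up until it is ended with `query session` and `logoff <session id>` on the server.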
  7. blackranger

    blackranger MDL Senior Member

    Dec 28, 2009
    453
    30
    10
    Not the wrong section to post but the wrong FORUM to post.
    Just either call the police or fire him that's all !!! :D
     
  8. ennio

    ennio Guest

    Man asked for a suggestion, so I gave the best one. :D
     
  9. qes27

    qes27 MDL Novice

    Jul 30, 2009
    3
    0
    0
    Practical, at least. Sorta. :p
     
  10. ennio

    ennio Guest

    Yeah, practical. :D
     
  11. Blizz127

    Blizz127 MDL Novice

    Nov 3, 2009
    4
    0
    0
    Best solution also is to use MRI and use password reset to log in to the server's local admin account and modify the accounts that way. You can always recover a password with the proper tools, but the MRI way is the easiest because it will delete the administrator password altogether.
     
  12. OmniBlade

    OmniBlade MDL Novice

    Oct 10, 2009
    27
    1
    0
    Is this for a domain? If so, I don't believe any of the techniques here so far will give you the domain admin password, only local admin over member servers and any clients. Local admin on a domain controller only works when you are in Directory Services Restore Mode, but then you won't have access to the Active Directory database to reset any passwords there. You would need the domain admin account to modify Active Directory with new users, adding new computers to the domain and such.
     
  13. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,502
    3,613
    120
    Or shoot him ;)
     
  14. derausgewanderte

    derausgewanderte MDL Senior Member

    Jul 21, 2009
    330
    86
    10
    #16 derausgewanderte, Apr 15, 2010
    Last edited: Apr 15, 2010
  15. TripleA

    TripleA MDL Novice

    Aug 9, 2009
    19
    2
    0
    Hiring such a vindictive person to such a position of trust seems to be the root problem, to me. That, or firing them in such a manner as to provoke this reaction.

    Either way, assuming said person is at all competent, I'm afraid the only real solution would be to hire someone better (and I hope, here, that the cause of the firing was not cost cutting. If it was, well, SOL comes to mind) ASAP and drop the problem in their lap. There will be a small, hopefully invisible, war and things will eventually be fixed.

    Assuming no encryption, mines and timebombs...

    In short, best of luck with that!
     
  16. abuttino

    abuttino MDL Junior Member

    Dec 26, 2008
    67
    0
    0
    People....

    If you EVER have to fire anybody, make sure you do take care of this beforehand, not after you fire him. I have seen some pretty fubared situations where IT techs got on phones, personal email and used a keylogger to get even more information and something called a "blackhole".

    DO NOT FIRE SOMEONE BEFORE YOU HAVE PROTECTION ALREADY IN PLACE.

    If you need to change/obtain domain/AD passwords, just tell the IT guy that the boss was reading a scary article and everyone needs to change the passwords now and every week or something. And get a smart card encryption device.

    Mostly, NEVER GIVE FULL RIGHTS to IT unless you know for an absolute fact that they will not try and go for blood. This would really only apply to law enforcement or any other government job.

    Always keep the password recovery disc in the owner's safe and one at the local bank's deposit box. Better even yet, the boss is responsible for his admin password and AD password. Never leave your business or company in the hands of an underling. EVER.
     
  17. ioniancat21

    ioniancat21 MDL Member

    Apr 27, 2008
    106
    31
    10
    The simple thing to do in this situation is call the police. Regardless of this guy's situation, the fact is doing what he's doing is not legal, and jail time, lawsuits and fines can follow. My advice would be to ask him one more time, with the tone of "we would like to resolve this peacefully; however, we have legal counsel and they've advised taking you to court along with contacting the authorities, which we prefer not to do."

    I'd figure, if he were smart, he'd realize this battle could cost him his assets and freedom if any data was stolen or destroyed, and to do 5-10 years in jail just to prove a point is not time well spent in my opinion. He'd be better served cutting his losses and moving on. If anything, had he received ill treatment from your company and not done this, he could have potentially had a suit against your company for firing him if it seemed like an unfair or discriminatory decision, and with the economy as it is, he could have possibly had an argument and a leg to stand on.
     
  18. derausgewanderte

    derausgewanderte MDL Senior Member

    Jul 21, 2009
    330
    86
    10
    Amen. I entirely agree with you.
     